"the certificate types are not available" - Windows 10 + Windows 2016 CA Server

  • Question

  • I am facing an issue with certificate enrollment from Windows 10 client PCs.

    Usually, when the computer joins the domain, it automatically gets the certificate from the domain.

    Now I have noticed that the certificates are not obtained automatically when we join the computer to the domain.

    I have manually tried to enroll the certificate using

    MMC > Add Snap-in > Certificates (Computer Certificates) > Request new certificate

    I can see the Active Directory certificate enrollment option in this with the proper GUID, and when I click Next, I am getting the "the certificate types are not available" message window and none of the templates are listed.

    When I log on to the same computer with a domain admin account, the enrollment works fine and the computer gets the certificate.

    I have checked the permissions on the templates: Domain Computers has Read, Enroll and Autoenroll permissions in place.

    Is this due to a Kerberos issue, as I am logging on to the computer with a local admin user?

    Is there any known bug or any other permission issue?

    Please advise on fixes if anyone has experienced a similar issue.


    • Edited by Hashirph Wednesday, September 11, 2019 2:16 PM
    • Moved by Dave PatrickMVP Wednesday, September 11, 2019 4:09 PM
    Wednesday, September 11, 2019 2:13 PM

Answers

  • Thanks for your time and for your tests.

    Is this any kind of bug in the OS or with a recent patch?

    We used to just join the computer to the domain and it would get the certificate automatically.

    But in this scenario, the computer never gets a certificate from the domain.

    The thread below says that the context in which the enrollment runs is a user context, which may be the reason for the failure.

    https://social.technet.microsoft.com/Forums/en-US/42fa21f6-99e6-4c5d-920d-c112a2b06ae3/enroll-certificate-from-domain-computer-with-local-user?forum=winserversecurity

    "Since it is a computer certificate and the computer is the only thing that has domain permissions then it must be done as the system context. In your PowerShell example you are running it as your local account."

    Also, there is a built-in enrollment scheduled task, which I will try to run manually to check whether this works or not.

    • Marked as answer by Hashirph Sunday, September 15, 2019 4:14 PM
    Friday, September 13, 2019 4:21 PM
  • I did the test today running the scheduled task to obtain the certificate as per the above screenshot.

    The certificate enrollment works fine and the machines are getting the certificate.

    So the conclusion is that the certificate enrollment request should run in the "System" context if you are using the LDAP enrollment method.

    Local user login + enrollment using the MMC / cert manager console will not work.

    @Daisy Zhou - Thanks for your time for all the tests.

    • Marked as answer by Hashirph Sunday, September 15, 2019 4:14 PM
    Sunday, September 15, 2019 4:14 PM
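As an added example (not part of this thread), the following PowerShell script does what the accepted answer describes: it starts the built-in CertificateServicesClient machine enrollment task, which runs as SYSTEM rather than as the logged-on local account, and then checks the machine store for a certificate issued by the enterprise CA. The task path and name, and the CA name placeholder, are assumptions; run it from an elevated prompt on the domain-joined client.

```powershell
# Added example, not from the thread. Triggers machine autoenrollment through the
# built-in scheduled task (runs as SYSTEM) and verifies the result in the machine store.
$CaNamePattern = 'CN=YOUR-ENTERPRISE-CA'    # placeholder: the issuing CA's subject name
$TaskPath      = '\Microsoft\Windows\CertificateServicesClient\'
$TaskName      = 'SystemTask'               # assumed name of the built-in machine enrollment task

# The interactive identity is what an MMC request runs as; a local account has no
# rights in AD and so cannot read the templates. The task runs as SYSTEM instead.
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Interactive identity: $me (task will run as NT AUTHORITY\SYSTEM)"

# Start the task and wait for it to leave the Running state.
$task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction Stop
Start-ScheduledTask -InputObject $task
do {
    Start-Sleep -Seconds 2
    $state = (Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName).State
} while ($state -eq 'Running')
$result = (Get-ScheduledTaskInfo -TaskPath $TaskPath -TaskName $TaskName).LastTaskResult
Write-Host "Task '$TaskName' finished: state=$state, LastTaskResult=$result"

# Verify: machine certificates issued by the CA, with the template they came from.
# 1.3.6.1.4.1.311.21.7 = Certificate Template Information (v2 and later templates)
# 1.3.6.1.4.1.311.20.2 = Certificate Template Name (v1 templates such as "Machine")
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
$issued = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$CaNamePattern*" } |
    ForEach-Object {
        $ext = $_.Extensions |
            Where-Object { $templateOids -contains $_.Oid.Value } |
            Select-Object -First 1
        [pscustomobject]@{
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            Template   = if ($ext) { $ext.Format($false) } else { '(no template extension)' }
            Thumbprint = $_.Thumbprint
        }
    }

if ($issued) {
    $issued | Format-Table -AutoSize
} else {
    Write-Warning ("No certificate from '$CaNamePattern' in Cert:\LocalMachine\My. " +
                   "Check the template's Enroll/Autoenroll ACL for Domain Computers " +
                   "and the CertificateServicesClient-AutoEnrollment events in the Application log.")
}
```

`certutil -pulse` is an alternative way to trigger the same autoenrollment pass without going through the Task Scheduler cmdlets.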

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    To better understand your question, please confirm the following information:

    1. Do you encounter the issue on all Win 10 machines (different operating system versions, such as Win 10 1709, 1803 or 1809), or only on one machine?
    If it is only one machine, please provide the operating system version of this Win 10.

    2. What do you mean by "local admin user" (the built-in Administrator account or other members of the local Administrators group)?

    Or do you encounter the issue with both the built-in Administrator account and other members of the local Administrators group?

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, September 12, 2019 10:04 AM
    Moderator
  • We are using Win 10 1709 & 1803 and both of these versions are showing the same error.

    The built-in administrator ("Administrator") and any locally created admin user (for example, user name "admin", a member of the local Administrators group on the computer) show the same error.

    When I add a "Domain user" to the "Local Administrators" group on the computer and try this certificate enrollment from that domain account, the enrollment happens successfully.

    It looks to me like the local administrator accounts (locally created user accounts) on the system are not able to read the certificate template information from AD. It only works if we use a domain user to enroll the computer certificate.

    Thursday, September 12, 2019 3:28 PM
  • Hi,
    According to your description, I did a test on Win 10 1709 and 1803.

    On Win 10 1709, I got the following results:

    I can see the computer certificate template with the following accounts logged on:

    local Administrator
    domain Administrator
    domain users added to the local Administrators group

    I can NOT see the computer certificate template with the following accounts logged on:

    local users added to the local Administrators group

    Tip: I can see that other clients and servers with different OS versions show the above behavior.

    On Win 10 1803, I got the following results:

    I can NOT see the computer certificate template with the following accounts logged on:

    local Administrator
    domain Administrator
    domain users added to the local Administrators group

    local users added to the local Administrators group

    So I think local users added to the local Administrators group should not be able to see the computer certificate template (they cannot see the proper GUID, as shown above).

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 13, 2019 6:11 AM
    Moderator
  • Hi,
    Thank you for your update and for sharing. I'm very glad that the problem has been solved.

    As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

    Have a nice day!

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 16, 2019 1:03 AM
    Moderator